#RSAC 2015

Last week we met with countless members of our community. We had some great conversations, and maybe even made a few new friends. The security community has grown up a lot in the last decade.

Unfortunately, last year was a painful one. Nobody needs to relive the numbers. And to be frank, what we've seen on display is a pretty strong indication of why - the level of innovation just isn't what we'd hoped for. Someone just yesterday said we've been putting out crap as an industry and it's got to stop. Mr. Yoran's keynote was equally blunt. There's a lot of truth to this - we have no cause to raise a case to the contrary. We can't.

We've seen a number of highly touted companies in the limelight fail quickly. We think there will be more of that this coming year, along with some consolidation in overlapping industries. Perhaps the Blackberry purchase of WatchDox is an indication, as noted by some analysts. We think so, especially given that #RSAC has some 500 exhibitors and in 2014 there were over 200 funding events in security alone. A lot of those companies will not make it. Easy prediction, you say - only 1 in a hundred makes it, right? Or is it 20 out of 100? Depends on what you use to measure it - but 20 in 100, undoubtedly on the higher end of reality, would give us another 50 new companies.

How are we going to take on 50 new companies doing machine learning anti-APT, threat reporting services and whitelisting, 2nd factor authentication, magic encryption, and all the traditional things like firewalls, VPNs, and policy managers? Don't we have a lot of overlap already?

It's going to take some real innovation to get there. There's a fine line between a gimmick and an innovation. I'm not quite sure how to resolve a couple newcomers just yet, as they seem to be right on the line but time will of course tell.

In the meantime, I think we need to come to terms with a misnomer being promulgated to those who don't specialize in security. That area is in Executive awareness and perception. There seems to be this constant picture painted of the clueless Executive who, if only he or she would spend more money, wouldn't be suffering the painful results of all these breaches. This seemed to be a fairly consistent perspective on why budgets have been so inadequate.

Nonsense. First, I've never met a clueless CEO in my life. Sure, they're there - but they tend not to last very long. CEOs aren't unaware of security. They don't miss the significance of intellectual property disclosure. Not at all. What people seem to forget is they can't come right out and say, "Why should I spend $10M when all I see is people failing. I'll just wait until we get breached, pay the $2M, and move on with the $8M invested in growing our business in other places". Thanks to legal liability, there aren't a lot of CEOs flying that flag. Maybe we don't read about it more often so as not to offend or even state the obvious.

Either way, of the 80% or so that are being painted as clueless in this respect, probably 5 have some real learning to do and the other 75 know exactly what they are doing. That isn't going to change this year - until $10M gets a CEO a measurable result, IT security spending isn't going to grow at the astronomical rates we are always told it will. We're stuck at 6%, if that. Get used to it.

On top of that, we started to reflect on where we were as a company, and were asked many times why we started our company in the first place. Need. We've made some reference to it in our literature and our Company page - and yes, we want to make a difference and help stop the unbelievable frequency of data breaches that the general public - fortunately or not - isn't aware of. But there's more to it. We got into this game because we couldn't find what we wanted - that 80/20 option that was easy to deploy, which would help a company struggling with an APT buy some time while they built up a security team and put the investment into their efforts required to manage it on their own. We couldn't find it. There was always a, "But...".

So what is the real problem? As we looked at our proposition, and dug into some of the competitive pressures we encountered, on the surface we saw things that made us think, "Did we miss something?" But then when we really got down into details - which really doesn't take very long - there's always the, "But..." clause. It's that clause that got us into the game. For us, and our Endpoint Data Protections, and for what we saw, here are some of those Buts...

1. Protections apply only to Microsoft Office and Adobe PDF documents...
2. You need to be sure you have rights to export your Active Directory...
3. You will need SQL Server, and a machine with xyz to run it on...
4. You have to tie your storage into SharePoint Workspace...
5. You must deploy a suitable PKI service, which is beyond the scope of...
6. We don't concern ourselves with the endpoint, we're focused on the cloud. The endpoint is someone else's problem (we got that today, verbatim)
7. Face it, you're just selling an insurance policy, and you're in competition with exciting innovative R&D projects. They aren't going to fund you.
8. What am I going to get out of this? Show me what these protections stop and what that's worth.

In looking at what's out there, and in talking to people and doing a competitive refresh, we've found that a lot of those, "But..." clauses still exist. And it hurts us too, because when we tell people what we do and the extent to which we do it, we get the eyeroll. We get the sigh. We get the, "there's no way you could do that - and even if you did, it wouldn't be effective against APTs". We got that one, too (almost verbatim; the chosen words are not appropriate to quote).

And it's unfortunate that we have to pay the price for the dishonesty committed by others. The path they blazed with intentional deceit all in the name of making a buck affects everyone - customers who are unfortunate victims of these antics, honest businesses trying to make a name for themselves, and those that are paid to come in and clean up the mess. Believe me, those guys aren't paid enough - they love what they do, and undoing the mess is always 10x harder than most people know (most certainly than the people paying the bills know). But they do it anyway, because they, not unlike us, don't agree with a world where people lie, cheat, steal, and take advantage of others to prevail.

That's the ironic thing about this business - for every crooked player, there are 3-4 honest people working behind the scenes wondering why they really feel Good Guys Always Finish Last. They don't - stay the course. Be like the people I've met and mentioned this week. Meet others that are like that, and keep them close.

And maybe in a few years you can start your own thing and be the next big shift we need in the business. We'll be there supporting you 100%, whether we compete or not. Give credit where it's due. Help others. Remain true to who you are and why you're in this business - not only will you sleep better at night, but those around you will sense it, see it, and your day will come. Just ask the people from @syncplicity and @ionic. They know and they proved it last week - and it's small acts like that which make us feel we as vendors might actually get our arms around this before too long.

In the meantime, 6%. It's a couple points higher than inflation, so what's the problem?

Take a look at the breach statistics compared to last year. If you don't already know the answer, a hint: It's a bit north of 6%.